git.kernel.dk Git - linux-2.6-block.git/commit

author	Hanno Böck <hanno@hboeck.de>
	Mon, 28 Aug 2023 16:41:17 +0000 (18:41 +0200)
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	Thu, 5 Oct 2023 09:24:43 +0000 (11:24 +0200)
commit	8d1b43f6a6df7bcea20982ad376a000d90906b42
tree	cd67b27f4d96a1b65906bceb1ba21e1d0deee133	tree \| snapshot
parent	7cda0b9eb6eb9e761f452e2ef4e81eca20b19938	commit \| diff

tty: Restrict access to TIOCLINUX' copy-and-paste subcommands

TIOCLINUX can be used for privilege escalation on virtual terminals when
code is executed via tools like su/sudo and sandboxing tools.

By abusing the selection features, a lower-privileged application can
write content to the console, select and copy/paste that content and
thereby executing code on the privileged account. See also the poc
here:

https://www.openwall.com/lists/oss-security/2023/03/14/3

Selection is usually used by tools like gpm that provide mouse features
on the virtual console. gpm already runs as root (due to earlier
changes that restrict access to a user on the current TTY), therefore
it will still work with this change.

With this change, the following TIOCLINUX subcommands require
CAP_SYS_ADMIN:

* TIOCL_SETSEL - setting the selected region on the terminal
* TIOCL_PASTESEL - pasting the contents of the selected region into
the input buffer
* TIOCL_SELLOADLUT - changing word-by-word selection behaviour

The security problem mitigated is similar to the security risks caused
by TIOCSTI, which, since kernel 6.2, can be disabled with
CONFIG_LEGACY_TIOCSTI=n.

Signed-off-by: Hanno Böck <hanno@hboeck.de>
Signed-off-by: Günther Noack <gnoack@google.com>
Tested-by: Günther Noack <gnoack@google.com>
Link: https://lore.kernel.org/r/20230828164117.3608812-2-gnoack@google.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>